Commit Graph

11709 Commits (0d2268ddfcc65462a53fc7f27dcc68ae87c8ecf8)

Author SHA1 Message Date
Jeff Lucovsky 0d2268ddfc decode/vlan: Decode up to 3 layers of VLAN
Issue: 2816

This commit increases the number of VLAN layers supported by Suricata
from 2 to 3. 3 layers are dubbed "Q-in-Q-in-Q".

Note that 3 layers are not compliant with any existing standard but are
often seen in larger deployments.
3 years ago
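The commit above raises the stacked-tag limit to three. The following is an added example, not Suricata's decoder: a small C routine that walks 802.1Q/802.1ad tags on an Ethernet frame, records each VLAN ID, stops at a configurable maximum and rejects frames that nest deeper. The struct, function names and the sample frames (MAC addresses and VIDs) are made up for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Suricata's decoder: walk stacked 802.1Q/802.1ad tags on an
 * Ethernet frame and stop at MAX_VLAN_LAYERS ("Q-in-Q-in-Q" when set to 3). */
#define MAX_VLAN_LAYERS 3
#define ETH_HDR_LEN     14
#define VLAN_TAG_LEN    4
#define ETHERTYPE_VLAN  0x8100  /* 802.1Q C-tag */
#define ETHERTYPE_QINQ  0x88A8  /* 802.1ad S-tag */
#define ETHERTYPE_IPV4  0x0800

struct vlan_decode {
    int layers;                     /* number of VLAN tags consumed */
    uint16_t vid[MAX_VLAN_LAYERS];  /* VLAN IDs, outermost first */
    uint16_t inner_ethertype;       /* ethertype following the last tag */
    size_t payload_offset;          /* offset of the encapsulated protocol */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* 0 on success, -1 if the frame is truncated, -2 if more than
 * MAX_VLAN_LAYERS tags are stacked; the decoder refuses to go deeper. */
int vlan_decode(const uint8_t *frame, size_t len, struct vlan_decode *out)
{
    memset(out, 0, sizeof(*out));
    if (len < ETH_HDR_LEN)
        return -1;
    size_t off = 12;                 /* Ethernet ethertype field */
    uint16_t et = rd16(frame + off);
    off += 2;
    while (et == ETHERTYPE_VLAN || et == ETHERTYPE_QINQ) {
        if (out->layers == MAX_VLAN_LAYERS)
            return -2;
        if (len < off + VLAN_TAG_LEN)
            return -1;
        uint16_t tci = rd16(frame + off);
        out->vid[out->layers++] = tci & 0x0FFF;  /* strip PCP and DEI bits */
        et = rd16(frame + off + 2);
        off += VLAN_TAG_LEN;
    }
    out->inner_ethertype = et;
    out->payload_offset = off;
    return 0;
}

/* Convenience wrapper: tag count on success, negative error code otherwise. */
int vlan_layer_count(const uint8_t *frame, size_t len)
{
    struct vlan_decode d;
    int rc = vlan_decode(frame, len, &d);
    return rc < 0 ? rc : d.layers;
}

/* Constructed frames (MACs and VIDs are made up): an S-tag and two C-tags
 * around an IPv4 ethertype, and the same with a fourth tag. No IP payload. */
static const uint8_t sample_qinqinq[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x88,0xa8, 0x00,0x64,   /* 802.1ad, VID 100 */
    0x81,0x00, 0x00,0xc8,   /* 802.1Q, VID 200 */
    0x81,0x00, 0x01,0x2c,   /* 802.1Q, VID 300 */
    0x08,0x00,              /* IPv4 */
};
static const uint8_t sample_four_tags[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x88,0xa8, 0x00,0x64,
    0x81,0x00, 0x00,0xc8,
    0x81,0x00, 0x01,0x2c,
    0x81,0x00, 0x01,0x90,   /* fourth tag, VID 400: rejected */
    0x08,0x00,
};

int main(void)
{
    struct vlan_decode d;
    int rc = vlan_decode(sample_qinqinq, sizeof(sample_qinqinq), &d);
    printf("rc=%d layers=%d vids=%u/%u/%u inner=0x%04x payload@%zu\n", rc,
           d.layers, (unsigned)d.vid[0], (unsigned)d.vid[1], (unsigned)d.vid[2],
           (unsigned)d.inner_ethertype, d.payload_offset);
    printf("four tags: rc=%d\n",
           vlan_layer_count(sample_four_tags, sizeof(sample_four_tags)));
    return 0;
}
```

The truncation check runs before every tag read, so a frame that ends inside a tag is reported as truncated rather than read past its end; the depth check runs before the length check, so a fourth tag is refused whether or not the bytes behind it are present.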
Philippe Antoine f346b3fc30 debug: fix list-x command line options with debug
Debug validation checks that the engine is either IPS or IDS.
But listing keywords does not care.
So, setting IDS mode.

Ticket: #6089
3 years ago
Lukas Sismis c4b0c2888d dpdk: add support for DPDK Bond PMD
Ticket: #6099
3 years ago
Lukas Sismis bb2760d221 dpdk: add device name querying function 3 years ago
Lukas Sismis 2feece601a dpdk: add debug dump of RX offload capabilities 3 years ago
Lukas Sismis 540df3befe dpdk: separate i40e prestop actions from DPDK 19.11
In DPDK 19.11 Suricata does not setup RSS on i40e driver
with rte_flow. As a result, it should not be deinitializing
RSS configuration with rte_flow as well.
3 years ago
Lukas Sismis a9b2f79070 dpdk: refactor i40e RSS hash function
Setting rss_conf->rss_key to NULL and rss_key_len
to zero avoids warnings about register changes
when setting up RSS configuration through RTE flows.
3 years ago
Lukas Sismis adb427a15c dpdk: minor refactoring in error handling and variable declaration 3 years ago
Victor Julien 6154bab49f flow/worker: minor refactor for app-layer callsite 3 years ago
Victor Julien 8a535a0b89 detect: remove flow drop unittest
Test broke after recent changes. Functionality is tested in
suricata-verify, so just remove the test.
3 years ago
Victor Julien 95bf7248e8 detect: add check to validate drops 3 years ago
Victor Julien 418cc1fe94 detect: fix stateful drops for rate_filter 3 years ago
Victor Julien 2a95154712 flow/timeout: no pseudo packets for dropped flows
When a flow is in the drop flow state, don't use pseudo packets
when it is timing out. There should be no work left to do at this
point.
3 years ago
Victor Julien d91a1e8bc6 stream: simplify drop handling
Remove logic to apply flow drop, as this is now handled in the
flow engine.

However, keep the logic that frees/cleans the session state.
3 years ago
Victor Julien 77f49661fd app-layer: don't update UDP applayer for dropped packets 3 years ago
Victor Julien 85ddba63f6 detect: update/document drop flow logic
Now that flow drop is applied to packets before other processing,
no drop has to be issued on a packet.
3 years ago
Victor Julien 71a033ac62 flow: apply flow to packet on flow lookup
Issue drop to packet as early as possible.
3 years ago
Philippe Antoine 9287cbc33a http: logs custom headers in a subobject
This subobject is request_headers or response_headers

This especially avoids json keys collisions.

Ticket: #5320

Also fixes typo referrer/referer
3 years ago
Victor Julien 5b160d274c flow: spare pool return optimization
In case small blocks of flows are returned, try to merge
them with existing small list head. Add full block as second
in the list as with the rest of the code.
3 years ago
Victor Julien afbd4162f2 flow/worker: don't double count flow.wrk.flows_evicted
Since the queue isn't fully processed every run, double counting
could happen.

Fix by only counting actually processed flows from the queue.
3 years ago
Victor Julien 73e665f42a flow/worker: batch return flows to spare pool 3 years ago
Victor Julien 91c59ce8f9 flow/manager: minor code cleanup 3 years ago
Victor Julien 1f3b35d048 flow/recycler: batch returns to spare pool
To reduce locking overhead in the spare pool, batch returns per
100 (spare pool block size).
3 years ago
Victor Julien 3803cbd0e5 flow/recycler: stats micro optimization
Don't update stat from loop as it's not read until after the loop.
3 years ago
Victor Julien fd93f002a0 windivert: fix compile warnings 3 years ago
Jason Ish f8620d0ed2 docs: update url to docs.suricata.io 3 years ago
Victor Julien c6d3b461a6 detect/analyzer: add the type
Per rule type record properties of the type.

Example output:

    {
        "raw": "alert udp any any -> any any (msg:\"UDP with flow direction\"; flow:to_server; sid:1001;)",
        "id": 1001,
        "gid": 1,
        "rev": 0,
        "msg": "UDP with flow direction",
        "app_proto": "unknown",
        "requirements": [],
        "type": "pkt",
        "flags": [
            "src_any",
            "dst_any",
            "sp_any",
            "dp_any",
            "toserver"
        ],
        "pkt_engines": [],
        "frame_engines": [],
        "lists": {}
    }

Ticket: #6085.
3 years ago
Victor Julien 2696fda041 detect: use explicit rule types
Instead of using flags to indicate a rule type, use an explicit `type`
field.

This will make it clearer in code paths which paths a rule is taking,
and will allow easier debugging as well as analyzer output.

Define the following fields:

- SIG_TYPE_IPONLY: sig meets IP-only criteria and is handled by the IP-only
  engine.
- SIG_TYPE_PDONLY: sig inspects protocol detection results only.
- SIG_TYPE_DEONLY: sig inspects decoder events only.
- SIG_TYPE_PKT:    sig is inspected per packet.
- SIG_TYPE_PKT_STREAM: sig is inspected against either packet payload or
  stream payload.
- SIG_TYPE_STREAM: sig is inspected against the reassembled stream
- SIG_TYPE_APPLAYER: sig is inspected against an app-layer property, but not
  against a tx engine.
- SIG_TYPE_APP_TX: sig is inspected by the tx aware inspection engine(s).

Ticket: #6085.
3 years ago
Victor Julien f6f2c22574 detect/pcre: remove redundant applayer flag set 3 years ago
Victor Julien 681b4c3a23 detect: minor cleanup 3 years ago
Philippe Antoine afef35b9dc http: fix leak of normalized uri
if tx_ud == NULL, still need to free the allocated normalized uri
3 years ago
Victor Julien ebe0a7bdc0 streaming: minor guards cleanup 3 years ago
Victor Julien b401fe5259 streaming: fix region buf_offset update
If region wasn't the first region, the buf_offset could get out of
sync.

Bug: #6041.
3 years ago
Victor Julien facdbca95b streaming: stricter validation check 3 years ago
Victor Julien cf7cca4950 streaming: fix intersect detection
Update logic to always use data right edge.

Bug: #5834.
3 years ago
Philippe Antoine 5fb0b3b8cb fuzz: make targets more resistant to allocation failures 3 years ago
Victor Julien 3247e39f0c flowworker: simplify pseudo packet use
Pseudo packets originating in the flow worker do not need to leave the
flow worker. Putting those in the ThreadVars::decode_pq will make them
be evaluated by the next steps in the pipeline, but those will all
ignore pseudo packets.

Instead, this patch returns them to the packet pool, while still honoring
the IPS verdict logic.
3 years ago
Philippe Antoine d47dba27bf all: remove unused literals 3 years ago
Victor Julien 3e0d2ff29a profiling/rules: minor fatal error cleanup 3 years ago
Victor Julien ecc7ec3ea7 profiling/rules: add BUG_ON to profile tracking 3 years ago
Victor Julien 2423b2a483 profiling/rules: simplify return code handling 3 years ago
Victor Julien 835eaf7ccd profiling/rules: minor code cleanup 3 years ago
Victor Julien 2596dc262b profiling/rules: use atomics for rule flag 3 years ago
Victor Julien b591813b86 profiling/rules: reduce sync logic scope
Use a simple once a second scheme.
3 years ago
Eric Leblond 8b2313b0ae profiling: socket command to control rules profiling
This patch adds unix socket command to start and stop the collection
of stats when running in rules profiling mode.
3 years ago
Eric Leblond ea95e85755 profiling: set sample rate to power of 2
For the rules profiling, we really want to limit the performance
impact to the maximum. So let's use a hash size that is a power
of 2. This will allow us to not use the modulo operation, which is
costly, and simply use a single binary operator.

This code is only active for rules profiling so we are backward
compatible.
3 years ago
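The commit above relies on the identity that, for a power-of-two period p, `x % p` equals `x & (p - 1)`, which turns the per-event sampling check into a single AND. The following is an added example and not Suricata's profiling code: it rounds a requested sampling period up to a power of two, makes the "take this sample?" decision with a mask, and checks the mask/modulo equivalence directly. The `rule_sampler` type and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not Suricata's code: sampling "every Nth event" with a
 * power-of-two period so the hot-path decision is one AND, not a modulo. */

/* Smallest power of two >= n (n == 0 or 1 yields 1). */
uint32_t next_pow2(uint32_t n)
{
    if (n <= 1)
        return 1;
    n--;
    n |= n >> 1;
    n |= n >> 2;
    n |= n >> 4;
    n |= n >> 8;
    n |= n >> 16;
    return n + 1;
}

struct rule_sampler {
    uint32_t mask;     /* period - 1; only valid because period is a power of two */
    uint32_t counter;  /* wraps at 2^32, which is a multiple of the period, so the
                          sampling cadence survives the wrap */
};

void sampler_init(struct rule_sampler *s, uint32_t requested_period)
{
    s->mask = next_pow2(requested_period) - 1;
    s->counter = 0;
}

/* True for one call in every (mask + 1); this is the hot-path check. */
bool sampler_take(struct rule_sampler *s)
{
    return (s->counter++ & s->mask) == 0;
}

/* The property the shortcut depends on: x & (p - 1) == x % p for power-of-two p. */
bool mask_matches_modulo(uint32_t x, uint32_t p)
{
    return (x & (p - 1)) == (x % p);
}

/* Count how many of n events are sampled for a requested period. */
uint32_t sampled_count(uint32_t requested_period, uint32_t n)
{
    struct rule_sampler s;
    sampler_init(&s, requested_period);
    uint32_t taken = 0;
    for (uint32_t i = 0; i < n; i++)
        if (sampler_take(&s))
            taken++;
    return taken;
}

int main(void)
{
    printf("requested period 1000 rounds up to %u\n", next_pow2(1000));
    printf("sampled %u of 4096 events\n", sampled_count(1000, 4096));
    printf("mask equals modulo for 123456789 mod 1024: %s\n",
           mask_matches_modulo(123456789u, 1024) ? "yes" : "no");
    return 0;
}
```

Rounding the period up rather than down keeps the sampling overhead at or below what the operator asked for; the cost is that a requested 1000 becomes 1024, which is the "backward compatible" trade the commit message refers to, since the behaviour only changes for the profiling path.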
Eric Leblond df88ef0249 profiling: let 'ruleset-profile' send message
Let's send the profile output as an answer on the Unix socket.
3 years ago
Eric Leblond 75b46edd79 profiling: add 'ruleset-profile' unix command
This patch adds a new unix command that allows the user to trigger
a dump of the ruleset profile to the file without having to stop
Suricata.

This will be really useful to debug performance issues related to
signatures in production environments.
3 years ago
Eric Leblond 020cfbcd61 profiling: introduce rules profiling
Performance measurement of rules is important on live Suricata
as bad rules can cause severe performance regression. This patch
introduces the --enable-profiling-rules option that activates profiling
for the rules. This reduces the performance impact of full
profiling and provides visibility on the rules' performance at
the same time.
3 years ago
Philippe Antoine 656cddcf65 detect: http_client_body for HTTP2
By using the file.data logic

Ticket: #4067
3 years ago